Networking Part I / Setup Host Security
Subtitles of the Movie
Exam objective 1.114.2 has a weight of 3 and verifies that candidates know how to set up a basic level of host security. This includes configuring syslog for security, setting up shadow passwords, setting up e-mail aliases for root, and turning off services not in use.

The system log server has one weakness: it will accept a message from anywhere and log it. This leaves an opening for attacks that fill your disk with log entries. To protect your system, you can use iptables to set up packet filters that limit the sources of log messages. You will need to brush up on TCP wrappers and how they work before you implement packet filters.

Most Linux installations have the passwords shadowed by default, but if not, you can do it yourself. The user and group passwords are traditionally stored in the password and group files, but you can have them stored in other files, the shadow files. These files contain only the passwords in their encrypted form. The first two files can always be read by anybody, but the shadow files are protected and can only be read by root. You can convert from one form of the passwords to the other by using the password conversion programs. There are two for the user and two for the group. These same programs can be used to set the number of days that elapse before a password change is required.

It's a simple matter to block all logins except root. If this file exists, only root is allowed to log in. With any other attempt to log in, the user will be politely refused and shown the contents of the file.

You don't want to have any daemon processes running that you don't use. It's easy enough to look in the RC directories and make sure that no daemons you don't want started are getting started, but don't forget inetd. Look in these files, the ones that configure inetd and xinetd, and make sure you don't have any extraneous services available. If you don't need them, don't run them.
A number of applications report problems by sending an e-mail message, sometimes to a special recipient and sometimes to root. You can set it up so that you get all of this e-mail. The aliases file redirects e-mail. This is my aliases file. You can see that a number of addresses are all redirected to root, and in the last line of the file, all root e-mail is redirected to me. This is because I am not always logged in as root, and I want to be notified if something is wrong. Review the security of your systems. In particular, check the aliases file on all the computers in your local network and make sure all the messages aimed at root are redirected to you on your primary machine.
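The review described above can be scripted. The following is an added example, not part of the course material: it checks passwd-format text for accounts that are not shadowed, follows alias chains to see who finally receives root's mail, and lists services left enabled in inetd.conf-format text. The file contents and the account name `arthur` are constructed samples.

```python
# Added example: audit passwd, aliases and inetd.conf text (sample data is constructed).

def unshadowed_accounts(passwd_text):
    """Accounts whose password field is not a shadow placeholder or lock mark."""
    bad = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[1] not in ("x", "*", "!"):
            bad.append(fields[0])   # hash (or empty password) is world-readable
    return bad

def parse_aliases(aliases_text):
    """Map each alias name to its targets ('name: target1, target2')."""
    aliases = {}
    for line in aliases_text.splitlines():
        line = line.split("#", 1)[0]            # drop comments
        if ":" in line:
            name, targets = line.split(":", 1)
            aliases[name.strip().lower()] = [
                t.strip().lower() for t in targets.split(",") if t.strip()]
    return aliases

def final_recipients(aliases, name, seen=None):
    """Follow alias chains to the names that actually receive the mail."""
    seen = set() if seen is None else seen
    if name in seen:                # alias loop: nobody receives it
        return set()
    seen.add(name)
    if name not in aliases:         # not an alias, so a real mailbox
        return {name}
    found = set()
    for target in aliases[name]:
        found |= final_recipients(aliases, target, seen)
    return found

def enabled_inetd_services(inetd_text):
    """Service names on lines of inetd.conf that are not commented out."""
    return [l.split()[0] for l in inetd_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

# Constructed sample files; "arthur" stands for the administrator's own account.
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "olduser:SAMPLEHASHxx.:501:501::/home/olduser:/bin/bash\n")
ALIASES = "postmaster: root\ndaemon: root\n# root's mail goes to a person\nroot: arthur\n"
INETD = ("#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n"
         "ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n")

if __name__ == "__main__":
    print("unshadowed:", unshadowed_accounts(PASSWD))
    print("postmaster mail goes to:", final_recipients(parse_aliases(ALIASES), "postmaster"))
    print("inetd services enabled:", enabled_inetd_services(INETD))
```

An empty result from `final_recipients` means the aliases loop back on themselves and the mail reaches no one.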
Tutorial Information
| Course: | Linux Professional Institute: Level 2 |
| Author: | Arthur Griffith |
| SKU: | 33894 |
| ISBN: | 1-934743-79-8 |
| Release Date: | 2008-07-21 |
| Duration: | 7.5 hrs / 113 lessons |
| Captions: | Available on CD and Online University |
| Compatibility: | Vista/XP/2000, OS X, Linux, QuickTime 7, Flash 8 |